Merchants React to New Data Theft Concerns

A misconfiguration in Microsoft Power Apps exposed 38 million data records last month, including Covid-19 vaccination statuses, social security numbers, and email addresses. The breach came just a week after T-Mobile announced that data had been stolen from more than 40 million former or prospective customers.

As more digital marketing and customer management solutions come online, security breaches are happening with increasing frequency. The threat is becoming a real issue for merchants, who are now faced with growing concerns among consumers and tightened privacy restrictions from government controllers.

With 65% of shoppers saying they are likely to terminate a relationship with a merchant after experiencing a single incident of data theft or payment fraud, it’s clear that something has to change. 

Merchants are looking at the proactive steps they can take to protect the customer data they hold.

“The reality is that it’s not that difficult for any company to be breached today,” says Ruston Miles, founder of the cybersecurity company Bluefin. “Hackers have developed so many methods and diverse threat vectors to break into a system or network that it’s not about protecting the perimeter anymore – although that is always important – but making what’s inside that perimeter absolutely useless.”

Miles says merchants need to make security a priority or they risk losing customers.

“Most of the high-profile data breaches and resulting fines that have been making the news for the past decade have been related to payment data,” Miles says. “This is because stolen payment card data can be quickly and easily sold on the dark web to fraudsters who in turn use it to make fraudulent purchases.”

Data Theft vs. Breach

Understanding the extent of the cybersecurity issue means knowing the difference between a data breach, data theft, and data compromise. The terms are often used interchangeably, but they are different. A breach occurs any time a hacker gains unauthorized access to data, whether they steal it or not. Data theft involves a hacker extracting data from an enterprise’s systems. A compromise occurs when hackers sell, expose, or otherwise exploit data they’ve stolen. This matters because all companies can be breached, but with proper technology in place, they can avoid theft and compromise.

Tactics like two-factor authentication to strengthen password protection and training employees to spot phishing emails are common cybersecurity efforts that aim to prevent data breaches and data theft. These efforts strengthen the digital “walls” protecting sensitive data. However, enterprises need to operate under the assumption that every wall has its gaps. Eventually, a hacker will break through, and unless a merchant has made its data useless to hackers, a compromise is likely to occur.

The European Union and the US have implemented significant data privacy regulations over the last few years, passing out large fines for data breaches that include personally identifiable information (PII), whether or not payment card data is included. For this reason, Miles says his company has been seeing a lot more coverage of non-payment card data breaches, even though these types of breaches have been going on for a long time.

Miles recommends that merchants devalue their data, which means encrypting or tokenizing it so that, even if it is breached, it is too difficult to be worth stealing or selling. For long-term data storage, he recommends tokenization.

“Tokenization substitutes each piece of PII with a pseudonym, such as a random string of numbers, that will be stored in the company’s storage resources instead of the PII itself. This ‘token’ has no exploitable value for hackers,” Miles says. “Trying to keep hackers out is an important part of security. However, hackers can often get around even the best security and breach vulnerable networks. This is why devaluing the data is so important. Even if the hacker is able to breach the network defenses they are not able to compromise the data because it has been tokenized.”
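The substitution described above can be sketched in a few lines. This is an added example, not code from the article or from Bluefin: the TokenVault class, the field names, and the customer record are all hypothetical and constructed for illustration, and a production vault would be a separately secured service rather than an in-memory dictionary.

```python
import secrets

class TokenVault:
    """Hypothetical vault: the only place where token -> PII mappings exist."""
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the token if this value was seen before, so lookups stay consistent.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Random digits from the OS CSPRNG: the token is not derived from
            # the PII, so it cannot be reversed or brute-forced like a hash.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, caller_authorized):
        # Assumption: a real vault enforces authentication and audit logging here.
        if not caller_authorized:
            raise PermissionError("detokenization denied")
        return self._token_to_value[token]

PII_FIELDS = ("ssn", "email")  # assumed set of fields the merchant treats as PII

def store_customer(vault, db, record):
    """Swap PII fields for tokens before the row reaches the merchant database."""
    row = {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}
    db.append(row)
    return row

def leaked_pii(db_dump, known_pii):
    """PII values recoverable by someone who copies only the merchant database."""
    dumped = {str(v) for row in db_dump for v in row.values()}
    return dumped & set(known_pii)

if __name__ == "__main__":
    vault, db = TokenVault(), []
    # Constructed sample record; the SSN uses an invalid area number.
    record = {"customer_id": 1001, "ssn": "000-12-3456",
              "email": "pat@example.com", "plan": "gold"}
    print("stored row:", store_customer(vault, db, record))
    print("PII in a database dump:", leaked_pii(db, [record["ssn"], record["email"]]))
```

The protection holds only while the vault is isolated from the database it protects: anyone who obtains both the tokenized rows and the vault mapping recovers the original PII.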

Stephanie Miles is a senior editor at Street Fight.
